Equifax: Let the Blame Game Begin

Equifax Blames Apache –> Apache rebuts; in the end Consumers still Lose

Equifax appears to be blaming a vulnerability in the Apache Software Foundation’s Apache Struts web framework, according to a post on Apache.org. The post, from the Apache Struts Project Management Committee (PMC), addresses the assumption that the Equifax breach may have relied on a vulnerability in the Struts framework that was discovered on September 4, 2017. The post posits that if the attackers relied on this vulnerability, it would have been a zero-day exploit, since the issue was not detected until well after the attacks, which took place starting in mid-May of 2017. Furthermore, the PMC’s post asserts that the particular exploit outlined in CVE-2017-9805 may have existed for nine years; however, it was not a known issue during that timeframe, and the PMC asserts that as soon as Apache became aware of the issue a fix was developed and made available.

The PMC’s post goes on to outline a few key steps that businesses and individuals using Apache Struts (or any other supporting software) should implement:

inventory the frameworks and libraries you are using in your software development and products and maintain visibility into new releases, patches, vulnerabilities, etc. for each of those;

create and utilize a process to test and roll out security fixes in shorter time periods (e.g. days vs. weeks);

don’t build your products on the assumption that the software you are using is flawless;

create security layers — don’t create a situation where a breach from the presentation (e.g. webpage layer) can endanger underlying back-end data; and

establish baselines to monitor for unusual traffic or data flows which will help to identify network anomalies and potential intrusions and exfiltrations.
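
The first step, inventorying bundled libraries, can be automated against the WAR files you deploy. The sketch below is an added example, not code from the PMC's post or from Apache; the jar names, version numbers and minimum versions are constructed placeholders, and real minimums would come from each project's security advisories.

```python
import io
import re
import zipfile

# Matches WEB-INF/lib/<artifact>-<version>[suffix].jar inside a WAR archive.
JAR_RE = re.compile(r"^WEB-INF/lib/(?P<name>.+?)-(?P<ver>\d+(?:\.\d+)*)(?:[.-][A-Za-z0-9]+)?\.jar$")

def parse_version(text):
    """Turn '2.10.1' into (2, 10, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))

def inventory_war(war_file):
    """Return (artifact, version) pairs, sorted by artifact, for jars bundled in a WAR."""
    found = []
    with zipfile.ZipFile(war_file) as war:
        for entry in war.namelist():
            m = JAR_RE.match(entry)
            if m:
                found.append((m.group("name"), m.group("ver")))
            elif entry.startswith("WEB-INF/lib/") and entry.endswith(".jar"):
                # Unversioned jars cannot be checked; report them rather than hide them.
                found.append((entry.rsplit("/", 1)[1][:-4], None))
    return sorted(found, key=lambda pair: pair[0])

def flag_outdated(inventory, minimums):
    """List tracked artifacts that are older than the required minimum or unversioned."""
    findings = []
    for name, ver in inventory:
        if name in minimums and (
                ver is None or parse_version(ver) < parse_version(minimums[name])):
            findings.append((name, ver, minimums[name]))
    return findings

def build_sample_war():
    """Constructed sample: an in-memory WAR with made-up jar names and versions."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        for path in ("WEB-INF/lib/struts2-core-1.4.9.jar",
                     "WEB-INF/lib/example-logging-3.0.1.jar",
                     "WEB-INF/lib/legacy-utils.jar",
                     "WEB-INF/web.xml"):
            war.writestr(path, b"")
    return buf

# Placeholder minimums (not real fix versions); fill these in from vendor advisories.
MINIMUMS = {"struts2-core": "1.5.0", "example-logging": "3.0.0", "legacy-utils": "2.0"}

if __name__ == "__main__":
    for name, have, need in flag_outdated(inventory_war(build_sample_war()), MINIMUMS):
        print(f"{name}: bundled {have or 'unknown'}, minimum {need}")
```

Running this on every build artifact and failing the build on any finding turns the inventory into a gate rather than a report.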

<opinion>

Dear Equifax:

Please wake up and realize that finger-pointing and trying to blame Apache or any other software product, in addition to the incredibly poor timing of the executive stock option sales before this breach was made public, is not going to help you in the court of public opinion, nor in any court of law where jurors may sit.

As a consumer and a business professional, it would have been reassuring to learn that the breach had only grabbed encrypted records, since that is how you should be storing our data, or to learn that you were giving those executives the boot, since the mere appearance of impropriety was tantamount to deceit and malfeasance. However, you chose instead to state that the executives had no idea there had been a breach days after it was discovered (in spite of the fact that the breach had been underway since mid-May) and then to assert that it wasn’t really your fault since the attacker used an exploit to exfiltrate unencrypted records. Furthermore, if Equifax had done input validation or sanitization, then the vulnerability in Struts could not have been exploited in the first place; see this post from Imperva.

Needless to say, at this early stage in the game, Equifax’s handling of this breach since it was discovered appears to be a case study in what not to do. As Equifax’s shares continue their downward movement and as consumers and businesses alike start to realize the repercussions of this breach, it is unlikely that Equifax has issued a single statement or taken a single step to help themselves, or their consumers and users.

Several days after the breach was disclosed, some Equifax executives were able to sell their stock at $145-$146/share; today Equifax shares closed at $113.12. Meanwhile, 143M of us are waiting to sign up for “free” credit monitoring so we can see when someone tries to use this data to steal our identities. However, as the OPM breach taught us, data is worth so much more than just identity theft. Once you get enough data points on a person, the sky’s the limit.

In short, thanks for encrypting our precious data that would have cost you a little bit of money and would have slowed down some of your back-end processes but would have made the attackers work a whole lot harder to grab our data (in a readable and usable format).